session help

xlordt

Im creating a users loggin script with sessions.. but for some reason its not updating to the database.. once i hit refresh on my browser... here is the session functions code

//Starting session functions
session_start( );
function starting_session( ){
global $_GET, $REMOTE_ADDR;

//Start session and see if variable $ENTRYS is registered with session_register( )
//else if it is, then just update the database with the new session info

if( !session_is_registered( "ENTRYS" )){   

      session_register( "ENTRYS" );
	  $ENTRYS[1] = $_GET['user_name'];
	  $ENTRYS[2] = $REMOTE_ADDR;
	  $ENTRYS['id'] = session_id( );
	  print_r ( $ENTRYS );

  mysql_query ("INSERT INTO sessions VALUES( 0,'{$ENTRYS['id']}','$ENTRYS[1]',NULL,'$ENTRYS[2]' )")
  or die( mysql_error( ));

}

if( session_is_registered( "ENTRYS" )){
       print_r ( $ENTRYS );
      mysql_query( "UPDATE sessions SET started=now() WHERE Uname='{$ENTRYS[1]}'" ) or die( mysql_error( ));
 }

//If user has been inactive for more then two minutes then delete the session
//information from the session table
 mysql_query( "DELETE FROM sessions WHERE started < DATE_ADD( NOW( ),INTERVAL -3 MINUTE )");

}

See what im doing is that on my loggin script.. once the user has inputed the correct passwd then start the session.. here is my users loggin code

if( isset( $_GET['submit'] )){
 if( !empty( $_GET['user_name'] ) and !empty( $_GET['_pwd'] )){
     $S = mysql_query( "SELECT *  FROM Users WHERE AcctName='{$_GET['user_name']}'" );
     $A = mysql_fetch_array( $S ) or die( mysql_error( ));

 if( $_GET['_pwd'] == $A['Passwd']){
	 starting_session( $_GET );
	 print "accepted";
	 print_r( $ENTRYS );
	 //echo "<meta http-equiv=\"refresh\" content=\"0; url=/loggin.php\">";
 }else{
      print "Password incorrect";
   }
 }else{
        print "You did not fillin all the blanks";
    }
}else{

//Starting the user loggin theme
echo '
     <form method="get">
	  <table cellpadding=2 cellspacing=2 border=1 align="left">
	   <tr align="left">
	    <td align="left" valign="top">
         Username:</td><td align="left" valign="top">
		 <input type="text" name="user_name"></td></tr>
		 <tr align="left">
	     <td align="left" valign="top">
		 Password:</td><td align="left" valign="top">
		 <input type="password" name="_pwd"></td></tr>
		 <tr align="left">
	     <td align="left" valign="top" colspan=5>
		 <input type="submit" name="submit" value="submit">
		</td>
	   </tr>
	  </table>
	 </form>';

The only problem is that once i hit refresh it does not update the time to the database.. can anyone help? I posted this else ware.. but im just out of luck.. and i also lack in posting communication =(

Bijan

Hi,

first of all you don't have a lack of communication skills, because I liked your post and I read it!

Well, about your code, first of all I don't like that starting_session() function, because I don't think that it's an efficient way of sessioning. You're using 2 global variables that's kind of ugly in here. Anyways, let's start things from the beginning:

You are calling your starting_session() function in your login area and you're passing an argument to it:

if( $_GET['_pwd'] == $A['Passwd']){ 
         starting_session( $_GET ); 
         print "accepted"; 
         print_r( $ENTRYS ); 
         //echo "<meta http-equiv=\"refresh\" content=\"0; url=/loggin.php\">"; 
     }else{ 
          print "Password incorrect"; 
   }

And also the form that you're using doesn't have an action attribute. Whenever you write a form, don't forget to set the action attribute to $_SERVER["PHP_SELF"] or you'll have problem when refreshing the page.

Also it's no need to use session_register and session_is_registered because they're deprecated. If you have any other questions, don't forget to write the structure of your tables that I can see what you're doing.

Good luck

xlordt

The only thing that i really need to find out is how to get it update the database in the started field (timestamp).. and what is the best way for me to code this.. if global is not a good way of doing it.. how do you see this in a better coding session style

what i have in my table are these fields

is it a good idea to add the function then the passwd is correct or do i need to add it else ware.. to check for session existance? its just not updating to the current time... cause if it doesnt then it will be deleted on every 3 minute

anyways here is an example for a session testing..
when i first loggin in i get..

Array ( [1] => xlordt [2] => 66.50.75.190 [id] => 38fdf37d92824a8ecc315d264724be6 )

and it gets updated to the db.. but.. then when i refresh..
that goes away.. and the db does not update to the new time

Bijan

Well, there are lots of questions that you asked, but let's go one by one:

When I say it's not a good way of using globals, or better to say when someone say that your coding style isn't that beautiful, it doesn't mean that it doesn't work. It only means that it could have been better. When you're using a function, you should pass variables to it (using arguments), but in here, you're not passing anything to your function and instead using global variables. Also you're using $GET which is a super global array, it means you don't even need to use the global keywork in a function or class that it can recognize it, these super global variables are defined in the global scope, it means wherever you call them, you can get them. Then you're using $REMOTE_ADDR which is pretty old, instead you can use $SERVER["REMOTE_ADDR"] and then if you wana use it, you don't need to call that global keyword either.

But if it's me, I wouldn't even use a function for sessioning a person in here, because it's no need that you do that! You write a function when you wana use it in multiple places, but in here, you only use your function once in the login script. So, it's better that in the login page you check for the username and password, then if it's right, you session your user and also write his info in your session table. Then in each page you should check to see if the user is sessioned, and if not, you should send him back to your login page. Then you should delete all the records from the db that are older than 3 minutes, and then try to select the user in the table, if you can not find him, it means he's expired and you should redirect him to the login page again. I also think that using 3 minutes as your time limit isn't enough, you should put 15 or 30 minutes at least, how many pages should your visitor see in only 3 minutes?! Ok, then you should update the time of your user. Don't forget that you should do all these things in all your pages. So, You can put them in a file and include it in all your pages.

There is something else that I forgot to mention, you are NOT using the super global $SESSION array, which means you can not access your sessions in your starting_session function unless you have:

global $ENTRYS;

So, my suggestion is that you totally use the $_SESSION array and do not use these deprecated functions.

It's also a good idea to write that Updating line alone, means not in any if, that you see if it works. If it doesn't then it's something wrong with your DB (that I really do not think it's your case), but if it does, then you should do the changes that I said in your code and tell us what happend in your journey, ok?!

Happy coding,
bijan

xlordt

ok i did what ya told me and it does work better.. exept that one thing that im tring to find is.. how do i check.. if the user still contains the session in his/her system.. i because.. i changed my code around but.. once they loggin and i transfer them to the other page.. the session wont update unless i add..

require_once( 'functions.php' );

in the page that the users will be transfered.. its weard i dont know.. im just pulling my hair out here.. anyways.. here is what i did

session_start();
function starting_session( ){

//Start session and see if variable $ENTRYS is registered with session_register( )
//else if it is, then just update the database with the new session info

  $_SESSION[1] = $_GET['user_name'];
  $_SESSION[2] = $_SERVER["REMOTE_ADDR"];
  $_SESSION['id'] = session_id( );
  $_SESSION['A'] = 2;

  $CHECK = mysql_query( "SELECT * FROM sessions WHERE Uname='$_SESSION[1]'" );
  $COUNT = mysql_num_rows( $CHECK );
  if( $COUNT == 1 ){
       mysql_query( "UPDATE sessions SET started=NOW() WHERE Uname='$_SESSION[1]'" ) or die( mysql_error( ));
  }else{	 
       mysql_query ("INSERT INTO sessions VALUES( 0,'{$_SESSION['id']}','$_SESSION[1]',NULL,'$_SESSION[2]','{$_SESSION['A']}' )");
 }

//If user has been inactive for more then two minutes then delete the session
//information from the session table
 mysql_query( "DELETE FROM sessions WHERE started < DATE_ADD( NOW( ),INTERVAL -1 MINUTE )");

}

the loggin script is still the same.. see.. what i want to do is check for the session and if he/she still have it.. then update db.. else if the session is older then 3 min then delete( btw 3 minute is only for testing ) but.. like i said.. im pulling my hair out here.. heh first time i mess with sessions =(

Bijan

Hey, you don't have to see if he still has the session! I'm still telling ya to remove your function and use normal code, because it's no need to use a function in here, you use this code once and only in your login page. Here it is what you should do in your login page:

See if he entered the right username/password. If he entered an invalid thing just redirect him to another page and use exit() to close your page. It's no need that you use that big if/else if else structure. I usually use break and exit in my code. It's just easier.
If he is a valid user, session him and book him in your session table with the current time + 3 minutes ==> DATE_ADD( NOW(), INTERVAL 3 MIN ); I also assume that the field that holds the expiration time is called exp_time
Now you should check in all your pages to see if the person is sessioned ( the $SESSION variable is set ), if he is not, redirect him to your login page and exit(), no need to use if/elses. And if he can pass this test successfully, then: DELETE FROM sessions WHERE exp_time < NOW(); and now you should SELECT * FROM sessions WHERE uname = $SESSION["uname"]; so, if you can find this record, it means your user is not expired yet and you can still let him work with your site, so, you should UPDATE sessions SET exp_time = DATE_ADD( NOW(), INTERVAL 3 MIN ); by doing this you let him stay in your page for 3 minutes, it means he should go to another page during this time to get updated, or he'll die!
[/list=1]

Well, it's the way that I coded my authentication system. If you have any other questions, I'd be glad to answer 😉

xlordt

Ok i have just one more question... Once they are transfered to the other page after the success loggin.. how do i check to see if the session still exists.. do i add

if( !empty( $_SESSION['Uname'] )){
   //Keep going with the page...
}else{
    //transfer to loggin page
}

Is this correct? cause.. i dont want to use cookies...
cookies are to vul, and i have read that sessions is more
secure and faster then cookies.. so this is why im using sessions

Bijan

By using sessions you're using cookies too! Of course if your cookies are enabled. Each session has a session id (SID) that is transfered through the pages in your cookies, or if they're disabled, in your URL. So, this SID is your id, it is the number that the server recognizes you with.

About that if/else thing, as I told ya you can simply use exit() instead of a big if/else, look:

if ( !isSet($_SESSION["uname"]) )
    die("<meta http-equiv='Refresh' Content='0;URL=loginpage.php' >");

# If you are here, it means that your user has a valid session
# Now you should delete the old records from your session 
# table in the database and try to find a record with the uname
# of your user, if you can find such a record, it means he could
# pass this level too, if you can not, then you should redirect him
# to the login page again!

Edit: That empty() function that you used was also correct.

xlordt

Heh hehe after a long night of trying and pulling my hair out.. i finaly got it working.. i coded it a diffrent way.. but it works.. heh please let me know what ya think.. and if there is anything else that i can do to make it succed in a better manner.. else.. thanx you have been alot of help..

loggin.php

if( isset( $_POST['submit'] )){

 if( !empty( $_POST['user_name'] ) and !empty( $_POST['_pwd'] )){

 $S = mysql_query( "SELECT Passwd FROM Users WHERE AcctName='{$_POST['user_name']}'" );

//Check for users in the database.. if the users exists.. then, lets move on to the Password if not 
//show users error. If the Password is not correct then show Password error

  if( $A = mysql_fetch_array( $S )){

 if( !$_POST['_pwd'] == $A['Passwd']){

      print "Password incorrect";
   }

  }else{
     die( "User was not found" );
  }

 }else{

    print "You did not fillin all the blanks";
 }

//On loggin success register the session name LOGGIN and procced to the
//next pade ( t.php ).

 session_start( );
 session_register( "LOGGIN" );
 $LOGGIN[0] = $_POST['user_name'];
 $LOGGIN[1] = session_id( );
 mysql_query ("INSERT INTO sessions VALUES( NULL,'$LOGGIN[1]','$LOGGIN[0]',NULL,'{$_SERVER['REMOTE_ADDR']}',2 ) ")or die( mysql_error( ));
 $url = "Location: t.php?".$LOGGIN[1];
 header( $url );

}else{
//Starting the user loggin theme
echo '
     <form method="post" action="'. $PHP_SELF .'">
	  <table cellpadding=2 cellspacing=2 border=1 align="left">
	   <tr align="left">
	    <td align="left" valign="top">
         Username:</td><td align="left" valign="top">
		 <input type="text" name="user_name"></td></tr>
		 <tr align="left">
	     <td align="left" valign="top">
		 Password:</td><td align="left" valign="top">
		 <input type="password" name="_pwd"></td></tr>
		 <tr align="left">
	     <td align="left" valign="top" colspan=5>
		 <input type="submit" name="submit" value="submit">
		</td>
	   </tr>
	  </table>
	 </form>';

}

and here is the page that it transfer ya to..

t.php( temp )

session_start( );

//Check for the registered session called LOGGIN. IF the
//session does not exists then.. transfer the user to the loggin page

if(!( session_is_registered( "LOGGIN" )))
{
      session_unset( );
      session_destroy( );
      $url = "Location: loggin.php";
	  header( $url );

 }

if( isSet( $_GET['mode'] ))
{

  mysql_query( "DELETE FROM sessions WHERE Uname='$LOGGIN[0]'");
  session_unset( );
  session_destroy( );
  $url = "Location: loggin.php";
  header( $url );

}

  mysql_query( "UPDATE sessions SET started=NULL WHERE Uname='$LOGGIN[0]'" );

  $SELECT = mysql_query( "SELECT * FROM sessions WHERE Active=2" );
  while( $DATA = mysql_fetch_array( $SELECT )){
  $session_user .= $DATA['Uname']."<br>";
  $session_time .= $DATA['started']."<br>";
   }

print "Online Users:<br>$session_user";
echo "<br><a href=\"$PHP_SELF?mode=logout\">Loggout</a>";
//print_r( $LOGGIN );
mysql_query( "DELETE FROM sessions WHERE started < DATE_ADD( NOW( ),INTERVAL -15 MINUTE )");

I sure hope this looks better in your experiance eyes hehe =)

ewww i hate it when the forum does this ( the width part )

Bijan

Congradulations! So, finally you worked it out. Ok, to be honest with ya, I don't have time to read all your code, but from the parts that I saw, I can tell ya these stuff:

Once again I'm telling you you don't need to use long if/elses, for the first lines of your code, you can simple write:

if(  !isset( $_POST['submit'] ))
    die("<meta http-equiv=Refresh ........."); # I really don't wana finish the syntax! 

if( empty( $_POST['user_name'] ) || empty( $_POST['_pwd'] ))
    die("<meta http-equiv=Refresh ......");

By the way, what's that and that in your if condition?! Shouldn't it be && ??

Then you wrote:

if( $A = mysql_fetch_array( $S )){ 
.
.
}
else
.
.

Well, this if is always true, because you're assigning something to $A, it means you're not using ==, but you're simply using =, so, it's always true and the else never gets excecuted.

Once again you're using session_register(), you really do not need to do that. If you use $SESSION["something"] = "someValue" it'll work and you don't need to use session_register. For checking to see if a session is registered, you can type:

if ( isSet($_SESSION["LOGIN"]) )
    #Do something

Hope that it helped and keep on with the good work 😉

xlordt

well honestly this part of my code

if( $A = mysql_fetch_array( $S )){  

. 
. 
} 
else 
. 
.

works perfectly fine the else does get executed =) and ya your way is better so i changed to .. using $_SESSION[ ] thanx to that.. =) i have one verylast question.. in with it would be good for other users as well.. what is the best way... to have the users loggin posted.. is it better to have it posted to another script... or in the same script.. cause when i use post.. i cant refresh.. cause then it will just repost the users.. else if i was to use get.. then the users info will still be in the url.. and i dont want that as well.. with way is better ... what do ya recomend?

Bijan

I couldn't fully understand what you mean. As for as sending variables through the pages, I always use the POST method and of course you're using sessions too, so, you shouldn't have any problem 😕

stolzyboy

btw bijan, just for clarification, you can use "and" for conditions instead of &&, but it does have different order of precedence that &&

xlordt

Hmm let me try to explain this.. example::

once the user hits on loggin button.. would i have the post transfer them to another page for session validation and then transfer back to the main page? cause if i was to do it right on the main page.. then i woult be able to refresh if cause then the post method will be reposting them again... take the forum for example... once you sign in it takes ya to a diffrent page.. then back to the forum

Bijan

Thank you stolzyboy, I didn't know about that operator. I always try to use the normal things that we can find in all languages! If I don't get used to proprietary things, I can learn new things faster.

About your case xlordt, I see no problem that you do the password checking in the same page. You should do something like this:

// pseudo code
if ( logged in successfully )
     redirect him to your main page that contains the important data

// Now that he is still in here, you can show your form and ask for the username and password, notice that I'm not using an else in here, because I don't need it

As you see, if his info is correct, then he'll be redirected to another page, so, he won't have time to refresh the page (unless he's really waiting for it!!). So, does it answer your question?